MariaDB
GitzJoey edited this page Sep 23, 2022 · 22 revisions
MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system (RDBMS).
This project uses MariaDB version 10.6 or the latest version.
- Adding a repo
$ curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
$ bash mariadb_repo_setup
Check the repo; it will be added in /etc/yum.repos.d/mariadb.repo
- Reset the repo
This refreshes the repo list.
$ dnf module reset mariadb -y
- Install
$ dnf install MariaDB-server MariaDB-client MariaDB-backup
- Enable and start the MariaDB services
$ systemctl enable --now mariadb
$ systemctl status mariadb
- Securing your MariaDB (after installation)
$ mariadb-secure-installation
[mysqld]
# For accessing MariaDB from internet
skip-networking=0
skip-bind-address
# For low spec VPS
performance_schema=off
If you want to access MySQL remotely:
$ firewall-cmd --zone=public --add-service=mysql --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all
- Log in locally to MySQL
$ mysql -u root -p
- Create schema, user, and privileges
MariaDB [(none)] > CREATE DATABASE dcslab;
MariaDB [(none)] > CREATE USER 'user1'@localhost IDENTIFIED BY 'password';
MariaDB [(none)] > GRANT ALL PRIVILEGES ON dcslab.* TO 'user1'@localhost;
MariaDB [(none)] > FLUSH PRIVILEGES;
- Verify user
MariaDB [(none)] > SHOW GRANTS FOR 'user1'@localhost;
- Create a directory to store the MariaDB SSL .pem files
$ mkdir /etc/mariadb_ssl/
$ cd /etc/mariadb_ssl/
- Create a new CA key
$ openssl genrsa 4096 > ca-key.pem
$ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
- Create the server certificate
When filling in the form, make sure the Common Name value is unique.
$ openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
$ openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
- Create the client certificate
When filling in the form, make sure the Common Name value is unique.
$ openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
- Adding the certificates to the MariaDB server
Two sections of the MariaDB configuration need to be configured:
- [server] section
ssl-ca=/etc/mariadb_ssl/ca-cert.pem
ssl-cert=/etc/mariadb_ssl/server-cert.pem
ssl-key=/etc/mariadb_ssl/server-key.pem
tls_version=TLSv1.2,TLSv1.3
- [client] section
ssl-ca=/etc/mariadb_ssl/ca-cert.pem
ssl-cert=/etc/mariadb_ssl/client-cert.pem
ssl-key=/etc/mariadb_ssl/client-key.pem
- Change the file owner to mysql
$ chown -R mysql:root /etc/mariadb_ssl/
- Apply the changes
$ systemctl restart mysqld
- Check the SSL is configured properly
MariaDB [(none)] > SHOW VARIABLES LIKE '%ssl%';
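The CA, server and client certificate steps above can be run without the interactive form and then checked before the files are copied to /etc/mariadb_ssl/. This is an added example, not part of the original wiki: the subject names and the scratch directory are constructed, and it gives the server and client certificates different serial numbers (01 and 02) where the page uses 01 for both.

```shell
#!/bin/sh
# Added example: certificate steps run non-interactively, then verified.
# Subject names and the scratch directory are constructed for illustration.

issue_cert() {  # issue_cert <role> <common name> <serial>
    openssl req -newkey rsa:2048 -nodes -keyout "$1-key.pem" \
        -subj "/CN=$2" -out "$1-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1-req.pem" -days 365000 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$3" -out "$1-cert.pem" 2>/dev/null
}

make_certs() (  # make_certs <directory>; body runs in a subshell
    cd "$1" || exit 1
    umask 077   # private keys end up readable by their owner only
    openssl genrsa -out ca-key.pem 4096 2>/dev/null || exit 1
    openssl req -new -x509 -nodes -days 365000 -key ca-key.pem \
        -subj "/CN=Example MariaDB CA" -out ca-cert.pem || exit 1
    # Each certificate gets its own Common Name and its own serial number.
    issue_cert server "db.example.internal" 01 || exit 1
    issue_cert client "dcslab-client" 02
)

field_count() {  # number of distinct values of an x509 field (-subject, -serial)
    for c in ca server client; do
        openssl x509 -in "$c-cert.pem" -noout "$1"
    done | sort -u | wc -l | tr -d ' '
}

check_certs() (  # check_certs <directory>; returns 0 when every check passes
    cd "$1" || exit 1
    # Both leaf certificates must chain to the CA.
    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem \
        >/dev/null 2>&1 || exit 1
    # CA, server and client must have three different subjects and serials.
    [ "$(field_count -subject)" -eq 3 ] || exit 1
    [ "$(field_count -serial)" -eq 3 ] || exit 1
    # Each private key must match the public key in its certificate.
    for role in server client; do
        cert_pub=$(openssl x509 -in "$role-cert.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$role-key.pem" -pubout)
        [ "$cert_pub" = "$key_pub" ] || exit 1
    done
)

workdir=$(mktemp -d)
make_certs "$workdir" && check_certs "$workdir" && echo "certificates OK: $workdir"
```

check_certs can also be pointed at /etc/mariadb_ssl/ after the manual steps, since it only reads the .pem files named on this page.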
Especially for users with the '%' host
- For new user
MariaDB [(none)] >
- For existing user
MariaDB [(none)] > GRANT ALL PRIVILEGES ON dcslab.* TO 'gitzjoey'@'%' IDENTIFIED BY 'password' REQUIRE SSL;
- Check user configuration
MariaDB [(none)] > show create user 'user1';
We're using DBeaver as a sample.
When creating the connection, make sure to check Use SSL in the SSL tab.
- Required cert files
- ca-cert.pem
- client-cert.pem
- client-key.pem
- Advanced
- Require SSL (checked)
- Verify server certificate (unchecked)
- Allow public key retrieval (unchecked)
$ mysql -u SSL_USER --ssl-ca=/etc/mariadb_ssl/ca-cert.pem --ssl-cert=/etc/mariadb_ssl/client-cert.pem --ssl-key=/etc/mariadb_ssl/client-key.pem